NEW 199527
Fix DFGArgumentEliminationPhase's NewArrayBuffer check
https://bugs.webkit.org/show_bug.cgi?id=199527
Summary Fix DFGArgumentEliminationPhase's NewArrayBuffer check
Michael Catanzaro
Reported 2019-07-05 12:49:55 PDT
Coverity has flagged this code from r226033 "[FTL] NewArrayBuffer should be sinked if it is only used for spreading" in ArgumentsEliminationPhase::eliminateCandidatesThatEscape as a likely copy/paste error:

    case LoadVarargs:
        if (node->loadVarargsData()->offset && (node->child1()->op() == NewArrayWithSpread || node->child1()->op() == Spread || node->child1()->op() == NewArrayBuffer))
            escape(node->child1(), node);
        break;

    case CallVarargs:
    case ConstructVarargs:
    case TailCallVarargs:
    case TailCallVarargsInlinedCaller:
        escape(node->child1(), node);
        escape(node->child2(), node);
        if (node->callVarargsData()->firstVarArgOffset && (node->child3()->op() == NewArrayWithSpread || node->child3()->op() == Spread || node->child1()->op() == NewArrayBuffer)) // <-- likely error here
            escape(node->child3(), node);
        break;

It looks like this was probably supposed to be node->child3()->op() == NewArrayBuffer, but I don't pretend to understand anything under Source/JavaScriptCore. Yusuke should look at it.
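To make the consequence of the suspected copy/paste error concrete, here is an added, self-contained C++ model of the check quoted above. It is not JavaScriptCore code: the `Op` enum, the `Node` struct with `child1`/`child2`/`child3` fields, the `EscapeSet`, and the `eliminateCandidatesThatEscape` helper are simplified stand-ins (assumptions) for JSC's DFG node graph and the `escape()` lambda in the real phase. The point it shows is that, with the third disjunct reading `child1` instead of `child3`, a `NewArrayBuffer` feeding the varargs of a `CallVarargs` node with a nonzero `firstVarArgOffset` is never marked as escaping, while the `child3` form does mark it.

```cpp
#include <cstdio>
#include <set>

// Toy node types; only the ops the quoted check cares about are modelled
// (assumption: not JSC's NodeType).
enum class Op { CallVarargs, NewArrayBuffer, NewArrayWithSpread, Spread, Other };

// Simplified DFG node: a CallVarargs-style node uses child1 for the callee,
// child2 for the this value and child3 for the arguments array.
struct Node {
    Op op;
    Node* child1 = nullptr;
    Node* child2 = nullptr;
    Node* child3 = nullptr;
    unsigned firstVarArgOffset = 0;  // stand-in for callVarargsData()->firstVarArgOffset
};

// Stand-in for the set of nodes the real phase's escape() lambda records.
using EscapeSet = std::set<const Node*>;

// The check as quoted from r226033: the third disjunct inspects child1 (the
// callee) instead of child3 (the arguments array).
bool buggyShouldEscapeArgs(const Node& call) {
    return call.firstVarArgOffset
        && (call.child3->op == Op::NewArrayWithSpread
            || call.child3->op == Op::Spread
            || call.child1->op == Op::NewArrayBuffer);
}

// The check the reporter suggests: every disjunct inspects child3.
bool fixedShouldEscapeArgs(const Node& call) {
    return call.firstVarArgOffset
        && (call.child3->op == Op::NewArrayWithSpread
            || call.child3->op == Op::Spread
            || call.child3->op == Op::NewArrayBuffer);
}

// Mirrors the CallVarargs branch: callee and this always escape, the
// arguments array escapes only when the predicate says so.
EscapeSet eliminateCandidatesThatEscape(const Node& call,
                                        bool (*shouldEscapeArgs)(const Node&)) {
    EscapeSet escaped;
    escaped.insert(call.child1);
    escaped.insert(call.child2);
    if (shouldEscapeArgs(call))
        escaped.insert(call.child3);
    return escaped;
}

// Builds a constructed CallVarargs node whose arguments array has op `argsOp`
// and reports whether that array ends up in the escape set.
bool argsEscape(Op argsOp, unsigned firstVarArgOffset,
                bool (*shouldEscapeArgs)(const Node&)) {
    Node callee{Op::Other};
    Node thisValue{Op::Other};
    Node args{argsOp};
    Node call{Op::CallVarargs, &callee, &thisValue, &args, firstVarArgOffset};
    EscapeSet escaped = eliminateCandidatesThatEscape(call, shouldEscapeArgs);
    return escaped.count(&args) > 0;
}

int main() {
    // NewArrayBuffer as the varargs source with a nonzero offset: the quoted
    // check misses it, the child3 form catches it.
    std::printf("NewArrayBuffer escapes (quoted check): %s\n",
                argsEscape(Op::NewArrayBuffer, 1, buggyShouldEscapeArgs) ? "yes" : "no");
    std::printf("NewArrayBuffer escapes (child3 check): %s\n",
                argsEscape(Op::NewArrayBuffer, 1, fixedShouldEscapeArgs) ? "yes" : "no");
    // Spread is checked via child3 in both versions, so both agree.
    std::printf("Spread escapes (quoted check): %s\n",
                argsEscape(Op::Spread, 1, buggyShouldEscapeArgs) ? "yes" : "no");
    return 0;
}
```

The `Spread` and `NewArrayWithSpread` cases behave the same under both predicates because those disjuncts already read `child3`; only the `NewArrayBuffer` case diverges, which is exactly the term Coverity flagged.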
Saam Barati
Comment 1 2019-08-30 16:02:16 PDT
Yeah I think coverity is right!
Radar WebKit Bug Importer
Comment 2 2019-09-18 22:33:52 PDT